
GDPR - Direct marketing as a legitimate interest

"Legitimate interests" is a sensible concept. It means that when you look at the overall needs and rights of data controller and data subject, there will be times where you don’t need to ask for consent to collect, store, use, disclose, process, destroy or otherwise “process” personal information.

For example, during an online purchase you have to provide contact, payment and address information, and the seller will have to record your transaction. It would be unnecessarily obstructive, annoying and off-putting for the seller to have to explain this and to obtain a record that the purchaser understood and agreed to this data collection and use. Of course there may be an option to use third-party payment services, sign up for an account, save details, sign up to marketing and more. But some basic information is necessary to fulfil a transaction; collecting it is both “legitimate” and expected, and should not be obstructed by a consent statement.

Within the GDPR text one single phrase has vexed me for months:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest

It’s vexing because it is the last sentence in an otherwise well-defined section. And that’s where it ends; the teaser at the end of the credits. It’s vexing because it’s easy to ignore the rest of the GDPR recitals and articles and read that sentence as “you don’t need consent for email marketing because it’s a legitimate interest”.

But if you think that, you're reading this the wrong way round. Let me explain:

You have a collection of signup processes for your marketing program. Through those processes you have contact details and other data provided by your customers and prospects which you use to generate or populate that marketing. Through those processes you can demonstrate clear and specific consent. Now let’s read that previously-vexing sentence again from this starting point:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest

How I read this is (annotated by me):

The [collection and use] of personal data [such as email address, name, interests and preferences] for direct marketing purposes may be regarded as [being] carried out [under the consent you’ve already obtained for marketing]

e-Privacy trumps data protection

What this statement is doing is actually reiterating that there are higher permission standards for digital marketing.

If you have data legitimately collected for direct marketing you must already have fulfilled the higher standards set by the e-Privacy directive (and PECR in the UK); so of course you can process that data for direct marketing.

It's not saying that legitimate interests is a basis for direct marketing activities without consent.

I generally think you got to the right place but I am not convinced by how you got there.

The phrase "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest" is not vexing at all. In fact, it is remarkably clear for European legislative language. Direct marketing is a legitimate interest and therefore does not need an opt-in - full stop, crystal clear. If GDPR was the only law of the land then we would be back to the wild west days of opt-out email rather than the current opt-in regime. GDPR, however, is not the only European law or regulation that covers the email marketing industry. The EU e-Privacy Directive was written to sit on top of the old Data Protection Directive and it sets a higher standard for direct marketing via email and SMS. While the current e-Privacy directive does not sit well on the new GDPR, its fundamental principles have not changed and therefore email is still opt-in. Throughout the spring, there was a public consultation on the e-Privacy Directive with a view to adapt it based on technological advancements, support the Digital Single Market Strategy and bring it into line with the GDPR. Those responding to the consultation overwhelmingly feel that special privacy rules are needed for the electronic sector and that the current language has not achieved its objective. I suspect that the e-Privacy Directive will be rewritten and most likely get upgraded from a directive to a regulation.

In essence, your argument presupposes that the e-Privacy Directive exists and therefore it would not be possible under GDPR to legitimately collect email without an opt-in. While that is true, should the e-Privacy Directive go away, then GDPR would not enforce an opt-in. Put another way, sending an email in the UK without an opt-in would not contravene GDPR but would contravene PECR. The only way GDPR would come into play is if an enterprising enforcement person at the ICO wanted to levy a significantly higher fine.

Remember that the GDPR covers data collection, storage and use; how that data is protected while in your control; how data subjects control the quality, use, disclosure and destruction of that data.

You need a legal basis for collecting, storing and using personal data. Full stop!

Think of web browsing and purchase data, linked to an individual:

If you record page and product views, the device used and the location of the browsing; and you build up a profile based on this location and behaviour and it’s linked to an individual – this is a common scenario covered by the GDPR.

If you have marketing consent, that marketing consent may already cover that behavioural profiling:

The question to ask is: If you don’t have marketing consent what is your justification (the legitimate interest that you can prove) for collecting and processing personal data?
